At 03:01 PM 3/22/2001 -0800, you wrote:
>The user is a very high political figure who is real cautious about security
>and paranoid. I like the idea of a separate NIC in the server and two
>subnets. The cost of switches could be a deciding factor. Thanks for the
>input guys!
>
>Brad

It's scary to find someone that's paranoid and demanding about security,
yet doesn't want to pay for it.  I'd like to assume that such a person, of
course, has done everything they should about making their host secure, including
encrypting the sensitive files, rather than just obsessing about the network.

Of course, I've also had a customer that insisted on being BGP multihomed
to two providers, connected to one provider at two sites and having
redundant SONET local loops at one of the sites, yet only had one physical
server. Yes, they had a tape backup on the server.  No, they had no spare
machine to which they could restore the tape.


>-----Original Message-----
>From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, March 22, 2001 12:44 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Vlan Question
>
>
>At 02:01 PM 3/22/2001 -0600, you wrote:
> >Well, he could be wanting to isolate consultants to their own VLAN but have
> >a need to update files on the server. In our case we have auditors come in
> >from time to time and so we don't want them in with the rest of the world so
> >we isolate them in their own VLAN and then set up an access list. They are
> >only here temporarily. So I could see how this is a legit question.
>
>but if the server isn't on the same VLAN, how do they get to it?  How does
>it get to them?
>
>Routing between VLANs, and VLAN-aware NICs, are pretty much the
>only alternatives.  VLANs were introduced to isolate groups, but there's
>nothing magical about them.
>
>If there is sensitive data around, you also want host-level security.
>
>
>
>
> >"Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > At 08:26 AM 3/22/2001 -0800, you wrote:
> > > >Scenario:
> > > >         Got a client who has a person on the network that does not want to
> > > >be on the network but wants access to the server.
> > >
> > > I'm somewhat confused. First, if he is somehow hidden, how does the server
> > > send back to the client?
> > >
> > > Second, if he is on one VLAN/subnet and the server is on another,
> > > sounds like a fairly basic routing application.  Another would be to
> > > have a VLAN-aware NIC on the server.
> > >
> > > Without further information, this sounds like a user whim rather than
> > > a real requirement.  There's a flavor of the user wanting security
> > > by obscurity.
> > >
> > > >My thought was to install
> > > >a switch, set up two VLANs, one for all the users (10 or so) and the second
> > > >VLAN for the 1 user by himself. This way no one can get to his machine, then
> > > >set up an access list to permit his VLAN to access the first VLAN and deny
> > > >all the other users to his VLAN. Does this sound right? Anything I am
> > > >missing? Seeing if I understand VLANs correctly or not.
> > > >
> > > >Brad Shifflett
> > > >[EMAIL PROTECTED]
> > > >Micromenders, Inc.
> > > >
> >
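
The two-VLAN plus access-list plan discussed in this thread, and the question of how the server's replies get back to the isolated user, modelled as an added example that is not part of the original messages. The subnets, host addresses and rule sets are constructed assumptions; the "established" match mirrors the usual router behaviour of matching TCP segments with ACK or RST set.

```python
# Added example: first-match evaluation of a stateless ACL applied to traffic
# routed toward the isolated VLAN. All subnets and hosts are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

USERS = ip_network("192.168.10.0/24")     # VLAN 10: server and ~10 users (assumed)
ISOLATED = ip_network("192.168.20.0/24")  # VLAN 20: the single user (assumed)
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: object                # source network
    dst: object                # destination network
    established: bool = False  # match only TCP segments with ACK or RST set

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset           # TCP flags present in the segment

def evaluate(acl, pkt):
    """Return the action of the first matching rule; implicit deny at the end."""
    for r in acl:
        if ip_address(pkt.src) not in r.src or ip_address(pkt.dst) not in r.dst:
            continue
        if r.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return r.action
    return "deny"

# The plan as literally worded: deny the user VLAN any access to his VLAN.
NAIVE = [Rule("deny", USERS, ISOLATED)]
# Same intent, but replies to connections he opened are let back in.
RETURN_OK = [Rule("permit", USERS, ISOLATED, established=True),
             Rule("deny", ANY, ISOLATED)]

SERVER, PEER, HIM = "192.168.10.5", "192.168.10.77", "192.168.20.2"
syn_ack_reply = Packet(SERVER, HIM, frozenset({"SYN", "ACK"}))  # server answering him
new_conn = Packet(PEER, HIM, frozenset({"SYN"}))                # co-worker opening a session

def results():
    """Map ACL name -> (verdict for server reply, verdict for new inbound session)."""
    return {name: (evaluate(acl, syn_ack_reply), evaluate(acl, new_conn))
            for name, acl in (("naive", NAIVE), ("return_ok", RETURN_OK))}

if __name__ == "__main__":
    for name, verdicts in results().items():
        print(name, verdicts)
```

The established match is a flag test, not connection tracking, so it complements rather than replaces the host-level security recommended in the thread.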

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
